Cisco Press: Router Security Strategies, part 2


46 Chapter 1: Internet Protocol Operations Fundamentals

CEF Operation

CEF switching is enabled globally using the ip cef global configuration mode command, after which CEF switching is enabled on all CEF-capable interfaces by default. CEF can be enabled or disabled on a per-interface basis. CEF must be enabled on the ingress interface (whereas fast switching is enabled on the egress interface) to CEF switch packets, because CEF makes the forwarding decision on ingress. Use the interface configuration mode command ip route-cache cef to enable CEF, or the no version of the same command to disable CEF on the ingress interface.

Example 1-3 Displaying CEF Adjacency Table Information (Continued)

    IP    POS5/0.1          point2point(9)
    IP    POS5/0.2          point2point(5)
    IP    FastEthernet0/2   10.82.69.1(11)
    IP    FastEthernet0/2   10.82.69.82(5)
    IP    FastEthernet0/2   10.82.69.103(5)
    IP    FastEthernet0/2   10.82.69.220(5)
    R1#

Example 1-4 Displaying CEF FIB Table Information

    R1# show ip cef
    Prefix              Next Hop          Interface
    0.0.0.0/0           12.0.0.2          Serial4/1
    0.0.0.0/32          receive
    10.0.0.0/8          10.82.69.1        FastEthernet0/0
    10.82.69.0/24       attached          FastEthernet0/0
    10.82.69.0/32       receive
    10.82.69.1/32       10.82.69.1        FastEthernet0/0
    10.82.69.82/32      10.82.69.82       FastEthernet0/0
    10.82.69.121/32     receive
    10.82.69.220/32     10.82.69.220      FastEthernet0/0
    10.82.69.255/32     receive
    172.0.0.0/30        attached          Serial4/1
    172.0.0.0/32        receive
    172.0.0.1/32        receive
    172.0.0.3/32        receive
    172.12.12.0/24      attached          Loopback12
    172.12.12.0/32      receive
    172.12.12.12/32     receive
    172.12.12.255/32    receive
    192.168.100.0/24    172.0.0.2         Serial4/1
    224.0.0.0/4         drop
    224.0.0.0/24        receive
    R1#

A distributed version of CEF is available for the 7500, 7600, and Cisco 12000 routers. On the Cisco 12000 GSR, CEF is enabled by default and in fact is the only version of switching available on that platform, although multiple forwarding paths exist within the router architecture.
Each time a packet is received on a CEF-enabled interface, the CEF process forwards the packet, as illustrated in Figure 1-13 and explained next:

1 CEF switching begins exactly like the other switching methods. First, the network interface hardware receives the packet and transfers it into I/O memory. The network interface interrupts the CPU, alerting it to the ingress packet waiting in I/O memory for processing. IOS updates its inbound packet counters.

2 The IOS interrupt software inspects the packet header information (encapsulation type, network layer header, and so forth) and determines that it is an IP packet. Instead of placing the packet on the input queue for CPU processing, however, the interrupt software consults the FIB for an entry matching the destination address. If an entry exists, the interrupt software retrieves the pre-built Layer 2 header information from the adjacency table and builds the packet for forwarding. Finally, the interrupt software alerts the outbound interface.

3 The outbound network interface hardware senses the packet, dequeues it from I/O memory, and transmits it on to the network.

4 If the destination address is not found in the FIB, instead of reverting to fast switching and then process switching, CEF simply drops the packet, which causes a CPU hit for the resultant ICMP destination unreachable (type 3) generation.

Fast switching has no visibility into the routing table. It depends on process switching to build the fast cache on the fly. Thus, fast switching can never assume that if a destination prefix does not exist in the cache, the packet has an unreachable destination. CEF, however, pre-builds the FIB based on the routing table. Thus, if no entry exists in the FIB, then a valid destination prefix never will be found, regardless of switching mechanisms. This is one of the best features of CEF; no processor load is expended for unresolved destinations.
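The forwarding decision in steps 1 through 4, together with the receive and exception punts discussed for each traffic plane below, as a small Python model. This is an added example, not code from the book: the FIB is constructed from the prefixes of Example 1-4 with the default route left out so that an unresolved destination can occur, the adjacency rewrites are made up, and the ICMP budget is a simplified stand-in for the unreachable rate limiting the text defers to Chapter 4.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed FIB modelled on Example 1-4: prefix -> (next hop or special
# adjacency, egress interface). The default route is left out so that an
# unresolved destination can occur; "receive", "attached" and "drop" are
# the special entries seen in the show ip cef output.
FIB = {
    "10.0.0.0/8": ("10.82.69.1", "FastEthernet0/0"),
    "10.82.69.0/24": ("attached", "FastEthernet0/0"),
    "10.82.69.121/32": ("receive", None),
    "10.82.69.220/32": ("10.82.69.220", "FastEthernet0/0"),
    "192.168.100.0/24": ("172.0.0.2", "Serial4/1"),
    "224.0.0.0/4": ("drop", None),
}
_FIB = sorted(((IPv4Network(p), e) for p, e in FIB.items()),
              key=lambda item: item[0].prefixlen, reverse=True)

# Constructed adjacency table: (interface, next hop) -> pre-built Layer 2
# rewrite. The MAC addresses are made up; the serial link needs none.
ADJ = {
    ("FastEthernet0/0", "10.82.69.1"): "dst-mac 00:00:0c:00:00:01",
    ("FastEthernet0/0", "10.82.69.220"): "dst-mac 00:00:0c:00:00:02",
    ("Serial4/1", "172.0.0.2"): "hdlc",
}

@dataclass
class Packet:
    dst: str
    ttl: int = 64
    has_options: bool = False

@dataclass
class Stats:
    icmp_budget: int = 1_000_000  # unreachables the CPU will still generate
    forwarded: int = 0
    dropped: int = 0
    punted: int = 0
    cpu_work: int = 0  # units of CPU involvement caused by the traffic

def fib_lookup(dst: str):
    """Longest-prefix match (_FIB is longest first); None means no entry."""
    addr = IPv4Address(dst)
    for net, entry in _FIB:
        if addr in net:
            return entry

def punt(stats: Stats, why: str) -> str:  # special adjacency to the CPU
    stats.punted += 1
    stats.cpu_work += 1
    return "punt:" + why

def cef_switch(pkt: Packet, stats: Stats) -> str:
    """Decide one packet's fate the way the chapter describes CEF doing it."""
    # Exception packets (TTL expiring, IP options) cannot be CEF switched.
    if pkt.ttl <= 1 or pkt.has_options:
        return punt(stats, "exception")
    entry = fib_lookup(pkt.dst)
    if entry is None:
        # Step 4: dropped at interrupt level, but the ICMP unreachable
        # (type 3) is generated by the CPU unless it is rate-limited.
        stats.dropped += 1
        if stats.icmp_budget > 0:
            stats.icmp_budget -= 1
            stats.cpu_work += 1
        return "drop:unreachable"
    next_hop, ifname = entry
    if next_hop == "receive":  # addressed to the router itself
        return punt(stats, "receive")
    if next_hop == "drop":  # FIB says discard; no CPU involvement at all
        stats.dropped += 1
        return "drop:fib"
    if next_hop == "attached":  # directly connected: the host is the next hop
        next_hop = pkt.dst
    rewrite = ADJ.get((ifname, next_hop))
    if rewrite is None:
        # Assumption: no Layer 2 rewrite built yet, so the CPU resolves it.
        return punt(stats, "unresolved-adjacency")
    stats.forwarded += 1  # steps 2-3: rewrite and hand to the egress interface
    return f"forward:{ifname}:{rewrite}"

def run(packets, icmp_budget: int = 1_000_000) -> Stats:
    stats = Stats(icmp_budget=icmp_budget)
    for pkt in packets:
        cef_switch(pkt, stats)
    return stats
```

Running run() over a batch of packets to an unresolved destination shows the point the text makes: every drop still costs the CPU an ICMP unreachable until the budget is exhausted, while the same batch to a FIB-resolved transit destination costs the CPU nothing.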
Figure 1-13 Illustration of CEF Switching (figure not reproduced; it shows the L2 frame arriving at the interface processor, the "Entry in FIB?" decision made in interrupt processing against the CEF tables (FIB and adjacency), the drop path taken when no entry exists, the output queue toward the egress interface processor, and the software process path in which the IP routing table updates the CEF tables)

From an IP traffic plane perspective, CEF switching not only helps accelerate the forwarding of transit data plane traffic, but also performs consistent operations for many other packet types. This is exactly what is needed for building and running higher-speed networks with high packet rates. All traffic planes and packet types exist in any network, not to mention malicious packets. All of these packet types must be handled within the network, but not all of these packets can be CEF switched. When this is the case, routers must invoke alternate processing functions, often impacting performance. It is most critical in networks to classify traffic planes and protect router resources. Let’s take a look at each traffic plane again from the perspective of CEF switching:

• Data plane: CEF switching operations were developed to speed delivery of data plane transit traffic. These packets will be CEF switched when a FIB entry exists and will be dropped when a FIB entry does not exist. Dropping packets with unresolved destinations gives CEF a tremendous advantage over other switching methods because no CPU involvement is necessary simply to drop these packets. You should be aware, however, that dropping these packets does cause the generation of an ICMP unreachable error message. On most routers, ICMP packets are generated by the CPU. Thus, even with CEF switching, some CPU impacts can be seen when high rates of ICMP unreachable messages are generated. As you will learn in Chapter 4, ICMP unreachable message generation can be rate-limited or disabled.
Preventing spoofed or malicious packets from abusing the data plane will also help protect router and network resources. As with other switching methods, additional processing is required to handle data plane exception packets as well. For example, TTL = 0 packets must be dropped and reply ICMP error messages must be generated and transmitted. Packets with IP options may also require additional processing to satisfy the invoked option. CEF does use special adjacencies to switch these types of packets to the appropriate handlers, which means the CPU is not involved in the switching portion of the operation. Nonetheless, the CPU may be required to process these packets after CEF. When the ratio of exception packets becomes large in comparison to normal transit packets, router resources can be taxed, potentially affecting network stability. These and other concepts are explored further in Chapter 2. Chapter 4 explores in detail the concepts for protecting the data plane.

• Control plane: Control plane packets with transit destinations are CEF switched exactly like data plane transit packets. Control plane packets with receive destinations and non-IP exception packets (for example, Layer 2 keepalives, IS-IS, and so on) are switched by special adjacencies in CEF to the CPU for processing. Additional resources are consumed to fully process these packets. Thus, regardless of the switching method invoked, receive and non-IP control plane packets must be processed by the CPU, potentially causing high CPU utilization. High CPU utilization could affect the synchronization of CEF tables (for example, when routing table updates must be computed), resulting in dropped traffic. It is critical to prevent spoofed and other malicious packets from impacting the control plane, potentially consuming router resources and disrupting overall network stability. Chapter 5 explores these concepts in detail.
• Management plane: Management plane packets with transit destinations are CEF switched exactly like data plane transit packets. Management plane packets with receive destinations are switched by special adjacencies in CEF to the CPU for processing. Additional resources are consumed to fully process these packets and provide the appropriate network management service. Management plane traffic should not contain IP exception packets (again, MPLS OAM being one exception), but may contain non-IP (Layer 2) exception packets (generally in the form of CDP packets). Under normal circumstances, management plane traffic should have little impact on CPU performance. It is possible that some management actions, such as conducting frequent SNMP polling or turning on debug operations, or the use of NetFlow, may cause high CPU utilization. High CPU utilization could affect the synchronization of CEF tables (for example, when routing table updates must be computed), resulting in dropped traffic. Because management plane traffic is handled directly by the CPU, the opportunity for abuse makes it critical that management plane security be implemented. Chapter 6 explores these concepts in detail.

• Services plane: Services plane packets generally require special processing by the router. Examples include things like performing some encapsulation function (for example, GRE, IPsec, or MPLS VPN), or performing some QoS or policy routing function. Some of these operations can be handled by CEF switching and some cannot. If a feature or encapsulation is not supported in CEF, the packet is passed to the next switching level (for most routers this would be fast switching), which tries to switch the packet by using its cache. If it cannot be switched at the interrupt level, the packet is placed into the IP processing queue for direct CPU handling. CEF fails to switch packets only because of unsupported features.
When this occurs, services plane packets may have a large impact on CPU utilization. The main concern then is to protect the integrity of the services plane by preventing spoofed or malicious packets from impacting the CPU. Chapter 7 explores these concepts in detail.

General IP Router Architecture Types

Now that the main switching methods available in IOS today have been reviewed, and the impact of various IP traffic planes on their operation and performance has been described, it is worth looking at the various hardware architectures used in Cisco routers. Although most Cisco routers implement all of the switching methods described in the previous section, some do not. In addition, hardware variations lead to different performance levels for each of the IP traffic planes. Thus, it is important to understand the performance envelope for each platform inserted in the network. This section gives special attention to the way in which malicious traffic can affect router hardware architectures.

Increases in performance and the demand for integrated services have driven substantial changes in router hardware. Most Cisco routers use only one active route processor, even if more than one is installed. Thus, processing is done in one central location. Some routers incorporate specialized ASIC hardware to accelerate switching performance. Still others use distributed hardware architectures to achieve the highest forwarding rates. The following sections provide general overviews of the basic hardware architectures used by Cisco routers today. These architectures are covered in sufficient detail to provide a good understanding of how various IP traffic planes impact their performance. Many excellent references provide much deeper insights into router architectures. Check the “Further Reading” section at the end of this chapter for specific recommendations.
Centralized CPU-Based Architectures

The architecture used by the original Cisco routers, and several generations of enterprise-class routers that have followed, is the centralized CPU-based design. Routers in this category that you will find in service today include the 800, 1600, 1700, 2500, 2600, 3600, RPM-PR, and 3700 series models. The long-lived 7200 series and the newer 1800, 2800, and 3800 series Integrated Services Routers (ISR) also use a centralized CPU-based architecture.

Centralized CPU-based architectures rely on a single CPU to perform all functions required by the router. This includes such functions as the following:

• Supporting all networking functions, such as running and maintaining routing protocols and cache states, link states, interfaces and global counters, error packet (ICMP) generation, and other network control functions

• Supporting all packet forwarding and processing functions, including applying all services such as access lists, NAT, QoS, and so on as might be applied to packets during the forwarding process

• Supporting all housekeeping functions, such as servicing configuration and management functions, including command-line configuration, SNMP and syslog support, and other device management functions

All of these (and other) functions are handled within Cisco IOS Software. Cisco IOS is a monolithic operating system; all software modules are statically compiled and linked at build time, operating in a run-to-completion model within a single address space. In this kind of model, faults in one function can cause disruptions in other functions. In the previous section you learned about three different kinds of switching methods, each of which has different levels of interaction and, hence, impact on the CPU. A typical centralized CPU-based architecture is shown in Figure 1-14.
Advances in bus architecture, memory size and speed, and CPU processor performance, and the addition of specialty, task-oriented chipsets have led to improvements in overall router performance. However, even with these advances and additions, centralized CPU-based devices will always be limited in overall performance given the processing constraints of the CPU-based architecture.

As illustrated in Figure 1-14, the central CPU provides support for router maintenance (CLI, management functions, and so on), for running the routing protocols, and for computing the FIB and adjacency tables described in the previous section. The FIB and adjacency table information is stored in memory attached to the CPU. All packets transiting the router (in other words, that ingress and egress through various interfaces) are processed within the CPU interrupt process if CEF is capable of switching the packet. Packets that cannot be handled by CEF are punted (switched out of the fast path) for direct handling by the CPU in software processing (slow path). Packets in this group include all receive packets, which under normal conditions means control plane and management plane traffic, plus all exception IP and non-IP packets.

Routers in this category are still quite adequate for most small to medium-sized enterprise locations where low bandwidth but rich, integrated service requirements are found. These routers represent an excellent trade-off between acceptable performance, application of integrated services, and cost. Their lack of capacity for high-speed service delivery and dense aggregation solutions means that other architectures must be explored.

Figure 1-14 Centralized CPU-Based Router Architecture (figure not reproduced; it shows interface processors attached over a bus to a single CPU with flash, DRAM, and console, with the data plane switched at interrupt level using the FIB and adjacency tables while the control plane (OSPF, IS-IS, BGP, IGMP, MPLS) and the management plane (SNMP, SSH, FTP, syslog, CLI) run at process level)

Centralized ASIC-Based Architectures

As network demands increased, CPU-based architectures alone were unable to provide acceptable performance levels.
To overcome this shortcoming, modern centralized CPU-based platforms began to include forwarding ASICs in the architecture in order to offload some processing duties from the CPU and improve upon overall device performance. This category of devices includes the ubiquitous Catalyst 6500 switch family, the Cisco 7600 router family, the Cisco 7300 and RPM-XF PXF-based routers, and the Cisco 10000 Edge Services Router (ESR) family. You will most frequently find these devices in large-scale aggregation environments (such as at the service provider network edge), and medium- to large-scale enterprise and data center environments where large numbers of flows and high switching rates are common.

Retaining the centralized architecture makes sense when trading off cost, complexity, and performance. Of course, the single CPU still performs many of the functions described in the preceding section, such as supporting all networking and housekeeping functions. The ASIC incorporated into the architecture provides the ability to apply very complex operations, such as access control lists (ACL), QoS, policy routing, and so on, while maintaining very high-performance forwarding rates. A typical centralized ASIC-based architecture is shown in Figure 1-15, which illustrates at a high level the Cisco 10000 ESR forwarding architecture. The Cisco 10000 ESR forwarding functions shown in Figure 1-15 are carried out in the Performance Routing Engine (PRE). The PRE includes a central CPU to support router maintenance (CLI, management functions, ICMP, and so on) and to run the routing protocols and compute the FIB and adjacency tables.
Once the CPU builds these FIB and adjacency tables, this information is pushed into the Parallel Express Forwarding (PXF) ASIC structure. All packets transiting the router (in other words, that ingress and egress through various line cards) are processed by the PXF. The CPU is not involved in forwarding packets. If other services are configured, such as the application of ACLs, QoS, policy routing, and so on, they are also configured and applied in the PXF ASIC structures.

Certain packets and features cannot be processed within ASIC architectures. These packets are punted to the supporting CPU for full processing. Packets falling into this group include all receive packets, which essentially means all control plane and management plane packets, and all exception packets. ASICs are designed to perform high-speed operations on a well-defined set of packets. Buffers, memory allocations, and data operations are designed for typical packets with 20-byte IP headers, for example. Packets that include IP options in the header exceed the 20-byte limit, and thus cannot be handled in the ASIC. Packets like these are punted to the CPU for handling in the slow path, meaning their processing speed is much slower. Because the ASIC is forwarding packets independently from the CPU, some amount of punts will not impact the overall platform throughput for normal, transit traffic. However, when the rate of exceptions becomes large, forwarding performance may be impacted.

IP traffic plane security must be developed with an understanding of how forwarding is accomplished in this centralized ASIC-based architecture, including a detailed understanding of how exception packets affect the performance envelope for the platform. The mechanisms for securing each traffic plane are covered in detail in Section II.

The centralized ASIC-based architecture offers excellent trade-offs between performance, application of integrated services, and cost.
Routers in this category are well suited for their intended environments. Yet they are not adequate when the very highest throughputs are required. The centralized nature of any platform limits forwarding rates to the speed of the single forwarding engine. To achieve even faster forwarding rates, different architectures must be used, specifically distributed architectures.

Figure 1-15 Centralized ASIC-Based Router Architecture (figure not reproduced; it shows the Cisco 10000 Performance Routing Engine, with a RISC route processor running the control and management planes at process level and an ASIC-based PXF packet forwarding engine holding the FIB and adjacency tables for the data plane, connected to line cards built from 12x10/100 ASICs, uplink and access FPGAs, framers, 10/100 PHYs, and optics)

NOTE Centralized ASIC-based routers may have higher performance than certain distributed CPU-based routers.

Distributed CPU-Based Architectures

Routers used in large-scale networks require not only high packet-forwarding performance, but also high port densities. High port densities reduce the overall hardware costs, as well as the operational costs because fewer devices need to be managed. These demands have constantly driven router architectures to keep pace. Two approaches can be taken to increase the forwarding speed of a router. The first, which you just learned about, is to retain the centralized processing approach but increase the CPU speed or add hardware-based (ASIC) high-speed forwarding engines. This architecture runs into limitations at some point in both maximum packet-forwarding rates and port density.

The other approach breaks the router into discrete line cards, each capable of supporting a number of network interfaces, and “distributing” the processing and forwarding functions out to each line card.
In the earlier section on CEF switching, you learned that CEF pre-computes the FIB and adjacency tables, and then populates the forwarding engine with these tables. You can see how CEF is ideally suited for a distributed architecture where each line card has the intelligence to forward packets as they ingress the router. In this case, each line card is capable of switching packets, bringing the switching function as close to the packet ingress point as possible. The other component required to complete the distributed architecture is a high-speed bus or “switching fabric” to connect the line cards into what logically appears to the routing domain as a single router.

Early distributed architecture systems used CPU-based forwarding engines. These early distributed CPU-based devices include the Cisco 7500 series routers and early Cisco 12000 Gigabit Switch Router (GSR) family line cards (in other words, Engine 0 and Engine 1). Figure 1-16 shows the Cisco 7500 router to illustrate the basics of the distributed CPU-based architecture.

Figure 1-16 Distributed CPU-Based Router Architecture (figure not reproduced; it shows the Route Switch Processor (RSP), whose CPU, processor memory, packet memory, and flash hold the IP routing table and run the control and management plane processes at process level, connected over a data bus to Versatile Interface Processors (VIP), each with its own CPU, DRAM, and PHY and its own copy of the FIB and adjacency tables for interrupt-level data plane switching)

Posted: 14/08/2014, 18:20


Table of contents

  • Router Security Strategies

    • Part I: IP Network and Traffic Plane Security Fundamentals

      • Chapter 1 Internet Protocol Operations Fundamentals

        • General IP Router Architecture Types

        • Summary

        • Review Questions

        • Further Reading

      • Chapter 2 Threat Models for IP Networks

        • Threats Against IP Network Infrastructures

        • Threats Against Layer 2 Network Infrastructures

        • Threats Against IP VPN Network Infrastructures

        • Summary

        • Review Questions
